Service providers and extreme ownership

Mike Sheward
Jul 3, 2023

You may have heard of the book “Extreme Ownership”. It’s written by a couple of former Navy SEALs — Jocko Willink and Leif Babin. In addition to being a New York Times bestseller, it holds what is perhaps a higher distinction: it’s a business and leadership book that I’ve read and didn’t immediately want to add to my collection of emergency toilet paper. A rare honor indeed. Most business books are not so lucky.

In fact, not only have I read it, I’ve read it more than once — because I really enjoyed it, and it’s come up in multiple contexts for me over the years.

By way of a very truncated overview, the core concept of “Extreme Ownership” is you do literally everything you can to deliver a successful outcome, whether that is for yourself, your team, your customers or all of the above. There are no boundaries, no waiting around for other people to decide to do things, you just up and run with it, and drag everyone else along with you. And if you do that, your chances of winning are dramatically increased.

As a consumer, I prefer being a customer of an organization that practices extreme ownership. Amazon, of course, is famous for its customer centricity, and that is likely a big part of why they have everyone’s money. Customer centricity is essentially extreme ownership. They fix a problem a customer has themselves, even if it wasn’t necessarily their issue to begin with.

If you have a problem with a product you order from Amazon, say it was destroyed in transit by the mail carrier, or a counterfeit product from a marketplace seller, you only have to so much as think of asking for a replacement, and a member of the Amazon executive team appears in your driveway, riding astride a drone, with a replacement item in hand.

As an information security person, I like the extreme ownership concept, because ‘winning’ in my case is ensuring the confidentiality, integrity, and availability of the information the team and I have been entrusted with. A goal that will always involve an entire company, but one that you can really steer in the right direction if you’re willing to jump in through the sunroof of the moving vehicle that is the organization, rather than waiting until you’re invited to have a quick go around the parking lot at the weekend when no one is looking.

I also really like working with vendors and service providers who practice extreme ownership, for much the same reason — I know people there are going to be driving things in the right direction. Unfortunately though, not all vendors and service providers operate to the standards we’d expect. That’s why we all do vendor management, right…

I’ve found that an interesting way to determine how likely a vendor is to be closer to the principles of extreme ownership than not is to take a look at that vendor’s ‘service status’ page. Most vendors have one these days if they are involved in the delivery of some software, platform, or infrastructure-as-a-service offering. A status page is designed as a lightweight, basic web property that can be used to relay information to you, the customer, about the health of the service, and provide updates when things have gone wrong. They also usually have a record of historical incidents and events which make for interesting reading.

The status page is a goldmine of clues as to the type of organization you’re going to be working with. Here are some of the things to look out for:

Does the service provider frequently throw their service providers under the bus during incidents? If you see things in the incident history like ‘we’re experiencing an outage due to an upstream issue at $Cloud Provider, we have no ETA for recovery at the moment’, that’s a big ol’ red flag. They are effectively admitting they have a single point of failure they can’t control. All the major cloud providers provide options for building in a resilient way. If they haven’t, and they’ve had an outage because of it, have they made changes since that particular outage? If not, why not?

Does the service provider list another vendor as a ‘component’ in their system? A service provider’s status page should be just that — specific to that service provider. Something I really don’t like is when a service provider lists the status of their third-party vendor on the status page, as though it was a component in their own system that they have some degree of ‘say’ over. I mean, I get why, all companies are customers of other companies — but it’s not my job as a customer to monitor the health of your service providers, right? I’ve got enough to be getting on with. I’ve seen this more and more often, and it worries me that it’s becoming the norm, as though it’s an acceptable practice. It shouldn’t be.

Does the status page show a clean bill of health, with several years of no incidents? If this is the case, it’s very likely the vendor might not be super transparent when it comes to using their status page to accurately report things. Extreme ownership means owning things through the good, and the bad.

How detailed are the updates during incidents? While being generally supportive of the concept ‘aviate, navigate, communicate’, a pilot’s priority list in the event of a mishap, having a bit more detail in updates is never going to be a bad thing. If you just say five-hundred entries of ‘we’re working on it’, or similar, how useful is that going to be during an incident? See also: writing ‘bug fixes and performance improvements’ in release notes.

Those are just some of the very useful bits of information you can pick up on from a service provider’s status page. Make checking them out something you do as part of your vendor due diligence process. You might just find yourself a vendor that practices extreme ownership, in which case, everyone wins.
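The four status-page checks above can be turned into a repeatable triage step for a vendor review. The sketch below is an added example, not part of the original post; the incident-history structure, the keyword patterns, the `ExampleCloud` name and the thresholds are all assumptions to tune for your own process.

```python
import re
from datetime import date

# Constructed sample: incident history as it might be transcribed from a
# vendor's status page. Vendor, components and wording are all invented.
SAMPLE = {
    "components": ["API", "Dashboard", "ExampleCloud us-east-1"],
    "history_start": date(2020, 1, 1),
    "as_of": date(2023, 7, 3),
    "incidents": [
        {"title": "API errors", "updates": [
            "We're experiencing an outage due to an upstream issue at "
            "ExampleCloud, we have no ETA for recovery at the moment.",
            "We're working on it.", "We're working on it.", "Resolved."]},
    ],
}

# Assumed heuristics, not an established standard.
UPSTREAM = re.compile(
    r"\b(upstream|third[- ]party|our (cloud |hosting )?provider)\b", re.I)
FILLER = re.compile(
    r"^\W*(we('re| are) )?(working on it|investigating|monitoring|resolved)\W*$",
    re.I)
THIRD_PARTIES = ["ExampleCloud"]  # hypothetical vendor names to look for
QUIET_YEARS = 2                   # assumed reading of "several years"

def review(page):
    """Return the red flags from the four checks, in the article's order."""
    flags = []
    updates = [u for inc in page["incidents"] for u in inc["updates"]]
    # 1. Incident updates that point at an upstream provider.
    if any(UPSTREAM.search(u) for u in updates):
        flags.append("upstream-blame")
    # 2. Another vendor listed as one of the provider's own components.
    if any(tp.lower() in c.lower()
           for c in page["components"] for tp in THIRD_PARTIES):
        flags.append("third-party-component")
    # 3. Years of history with no incidents at all.
    years = (page["as_of"] - page["history_start"]).days / 365.25
    if not page["incidents"] and years >= QUIET_YEARS:
        flags.append("suspiciously-clean")
    # 4. Most updates are filler such as "we're working on it".
    filler = sum(bool(FILLER.match(u.strip())) for u in updates)
    if updates and filler / len(updates) > 0.5:
        flags.append("low-detail-updates")
    return flags
```

The flags are prompts for questions to put to the vendor, not a score; a keyword match on "upstream" says nothing about whether they changed their architecture afterwards.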


Mike Sheward

Information security professional specializing in SecOps, IR and Digital Forensics. Author of the Digital Forensic Diaries, and now, the Pen Test Diaries.